Solved That fake "Chrome" browser.exe infection

Eric Witzling

Posts: 120   +2
Bit of history on this one.

Two days ago I was called in because the computer was operating slowly. Taking a look, there were dozens of dllhost.exe processes running, taking up memory space largely in the 30MB to 250MB range. I ran normal cleanup tools up to and including tdsskiller (which cured two Win32.patched.pj trojans infecting c:\Windows\system32\rpcss.dll - identified as "DcomLaunch" and "RpcSs" services), rkill, JRT, adwcleaner, and combofix. Following that, I allowed the onboard A/V and anti-malware (Vipre Business and MalwareBytes) to run manual scans, along with SuperAntiSpyware portable.

The tdss-detected trojans remained gone and the dllhost.exe processes never returned, and things seemed OK. Yesterday, however, users reported "Chrome Errors" popping up on-screen where it would crash. Chrome is installed on the PC, but it was not in use, and I was instead seeing dozes of "browser.exe" processes running, and also "werfault.exe"s as the errors built up.

The browser.exe processes are task-killable, but pop up shortly afterward. I traced them to some folders in the user's LocalLow directory (CottonVisual, ReceiverRadio, ReceiverSync) that are recreated even if deleted. This seems to be a pretty recent type of infection, which nothing has caught up to yet. Will appreciate any and all advice.

-----------------------------------------------

I can't install the version of MalwareBytes you mention, because MB has already been on and installed for years. There is a monitoring and maintenance software package on these computers that include MB 1.65.1.1000

I can paste the log from the manual scan I ran after the other tools, however:

Malwarebytes Anti-Malware (MSP) 1.65.1.1000
www.malwarebytes.org

Database version: v2014.08.26.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
bella :: NCJAR-NEX-1011 [administrator]

Protection: Enabled

8/26/2014 4:08:03 PM
mbam-log-2014-08-26 (16-08-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 629629
Time elapsed: 1 hour(s), 35 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\ (Rootkit.Poweliks) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\OhlapGedce\OhlapGedce.dat (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\setup\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etzia.exe (Trojan.Zbot.gen) -> Quarantined and deleted successfully.

(end)


-------------------------------

I cannot at the moment run DDS with the PC offline and A/V disconnected. If you need me to do that, I should be able to at a later date. Results are below:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16545
Run by bella at 11:04:33 on 2014-08-28
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.2394 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\PROGRA~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\PROGRA~1\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
C:\PROGRA~1\SAAZOD\zRealTime\rtHlpDk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\UI0Detect.exe
C:\PROGRA~1\SAAZOD\zSCC\zInCCM.exe
C:\PROGRA~1\SAAZOD\zSCC\zCCM.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\timeout.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [ocx] "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "[reflection.assembly]::load((gp -path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0,@('Installer'));"
uRun: [BrowserWireless] c:\windows\system32\rundll32.exe "c:\users\bella\appdata\local\browserwireless\BrowserWireless.dll",DllRegisterServer
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [PC Meter Connect] c:\program files\pitney bowes\pc meter connect\mailstationAssistant.exe minimize
mRun: [SBAMTray] "c:\program files\gfi software\gfiagent\SBAMTray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Launcher] c:\program files\sminst\Launcher.exe
StartupFolder: c:\users\bella\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\bella\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://control.itsupport247.net/components/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=722
TCP: NameServer = 192.168.0.20
TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D} : NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D} : DHCPNameServer = 192.168.0.20
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
.
============= SERVICES / DRIVERS ===============
.
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-10-17 13592]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-10-17 112800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-10-20 47640]
R2 MBAMScheduler;MBAMScheduler;c:\progra~1\saazod\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-6 399432]
R2 MBAMService;MBAMService;c:\progra~1\saazod\malwarebytes' anti-malware\mbamservice.exe [2013-1-6 676936]
R2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\saazod\zrealtime\SAAZappr.exe [2011-5-31 82760]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2011-10-19 86856]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2011-10-19 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2011-10-19 86856]
R2 SBAMSvc;VIPRE Business;c:\program files\gfi software\gfiagent\SBAMSvc.exe [2012-10-16 3675976]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-8-1 66344]
R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\gfiagent\SBPIMSvc.exe [2012-10-16 175496]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2011-10-17 2656536]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-10-17 269824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-6 22856]
R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-10-17 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-6-10 69504]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-6-10 161664]
R3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2012-10-15 75552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2010-7-30 20600]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-16 43368]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-20 1343400]
S4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\saazod\zrealtime\SAAZapsc.exe [2011-5-31 82760]
S4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2011-10-19 78664]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
S4 ZEvtSVC;ZEvtSVC;c:\progra~1\saazod\zscc\zEvtSVC.exe [2011-8-9 232752]
.
=============== Created Last 30 ================
.
2014-08-28 14:11:46 -------- d-sh--w- C:\$RECYCLE.BIN
2014-08-28 13:57:20 -------- d-----w- C:\ComboFix
2014-08-28 13:42:31 -------- d-----w- C:\FRST
2014-08-28 09:15:52 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d12a5873-8071-40f5-b2be-dc99599d41db}\offreg.dll
2014-08-28 09:14:45 8581864 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d12a5873-8071-40f5-b2be-dc99599d41db}\mpengine.dll
2014-08-27 17:28:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-08-26 20:12:31 -------- d-----w- c:\users\bella\appdata\roaming\SUPERAntiSpyware.com
2014-08-26 20:12:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-08-26 18:56:51 98816 ----a-w- c:\windows\sed.exe
2014-08-26 18:56:51 256000 ----a-w- c:\windows\PEV.exe
2014-08-26 18:56:51 208896 ----a-w- c:\windows\MBR.exe
2014-08-26 18:45:13 -------- d-----w- c:\windows\ERUNT
2014-08-26 18:40:52 -------- d-----w- C:\AdwCleaner
2014-08-26 18:22:41 -------- d-----w- C:\TDSSKiller_Quarantine
2014-08-26 04:48:58 -------- d-----w- c:\programdata\OhlapGedce
2014-08-25 03:56:23 -------- d-----w- C:\5a792bb
2014-08-23 22:30:50 -------- d-----w- c:\users\bella\appdata\local\BrowserWireless
2014-08-21 04:04:09 509440 ----a-w- c:\windows\system32\qedit.dll
2014-08-17 12:54:22 -------- d-----w- c:\users\bella\appdata\local\ServerAudio
2014-08-12 19:35:24 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-08-03 09:11:17 -------- d-----w- c:\users\bella\appdata\roaming\b65b63
2014-08-03 09:11:12 -------- d-----w- c:\users\bella\appdata\local\b65b63
2014-08-03 09:10:01 -------- d-----w- c:\users\bella\appdata\local\3328503800
.
==================== Find3M ====================
.
2014-08-26 18:32:04 376832 ----a-w- c:\windows\system32\rpcss.dll
2014-08-05 13:20:02 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-07-19 13:10:33 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-07-19 13:10:33 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2014-07-19 13:10:32 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-07-19 13:10:32 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-18 00:52:00 2350080 ----a-w- c:\windows\system32\win32k.sys
2014-06-09 13:08:49 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2014-06-05 14:26:50 1059840 ----a-w- c:\windows\system32\lsasrv.dll
.
============= FINISH: 11:05:16.65 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/19/2011 5:00:53 PM
System Uptime: 8/28/2014 9:35:53 AM (2 hours ago)
.
Motherboard: Intel Corporation | | DH67BL
Processor: Intel(R) Core(TM) i3-2102 CPU @ 3.10GHz | LGA1155 | 1581/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 455 GiB total, 403.56 GiB free.
E: is Removable
G: is CDROM ()
R: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
T: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
U: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
W: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: mbr
Device ID: ROOT\LEGACY_MBR\0000
Manufacturer:
Name: mbr
PNP Device ID: ROOT\LEGACY_MBR\0000
Service: mbr
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASDIFSV
Device ID: ROOT\LEGACY_SASDIFSV\0000
Manufacturer:
Name: SASDIFSV
PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
Service: SASDIFSV
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASKUTIL
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name: SASKUTIL
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service: SASKUTIL
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: Unknown Device
Device ID: USB\VID_0000&PID_0000\6&1A0384BD&0&2
Manufacturer: (Standard USB Host Controller)
Name: Unknown Device
PNP Device ID: USB\VID_0000&PID_0000\6&1A0384BD&0&2
Service:
.
==== System Restore Points ===================
.
RP7551: 7/18/2014 5:44:15 AM - Windows Update
RP7552: 7/21/2014 9:42:48 PM - Windows Update
RP7553: 7/21/2014 9:43:44 PM - Windows Update
RP7554: 7/21/2014 9:44:01 PM - Windows Update
RP7555: 7/21/2014 9:44:27 PM - Windows Update
RP7556: 7/21/2014 9:44:52 PM - Windows Update
RP7557: 8/26/2014 7:24:00 PM - Scheduled Checkpoint
RP7558: 8/28/2014 5:13:55 AM - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.07)
Avery Wizard 4.0
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dropbox
FileMaker Pro 8.5
GFI Business Agent
Google Chrome
Google Update Helper
Intel(R) Control Center
Intel(R) Management Engine Components
Intel(R) Network Connections 16.5.2.0
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
ITSupport247-DPMA
Junk Mail filter update
KONICA MINOLTA bizhub 751/601
LG CyberLink LabelPrint
LG CyberLink Power2Go
LG CyberLink PowerBackup
LG CyberLink YouCam
LG Power Tools
LogMeIn
Malwarebytes Anti-Malware version 1.65.1.1000
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.2
Microsoft IntelliType Pro 8.2
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nexlink Recovery Center
PC Meter Connect
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2931365)
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2767915) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
ShopAtHome.com Helper
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition
Windows Driver Package - Pitney Bowes (DM150Drv) USB (07/04/2010 2.0.1.5)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
8/28/2014 9:36:28 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
8/28/2014 9:36:14 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain NORTHCENT due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
8/28/2014 9:30:15 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
8/28/2014 9:28:54 AM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:54 AM, Error: Service Control Manager [7034] - The Interactive Services Detection service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:54 AM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/28/2014 9:28:46 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SB Recovery Service service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZWatchDog service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZServerPlus service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZScheduler service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZDPMACTL service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZ RMM Agent Presence-PR service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LogMeIn Maintenance Service service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) PROSet Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
8/28/2014 9:28:45 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
8/28/2014 9:28:45 AM, Error: Service Control Manager [7031] - The Intel(R) Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
8/28/2014 10:10:42 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/26/2014 4:08:59 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer NCJARTERM that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C8C75108-648B-43C0-B933-860C9287. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
 
Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================

You need to uninstall your MBAM version and install the newest one.

Why exactly are you offline and why your AV program is off?
 
The PC was not offline. I mentioned that I could not run DDS with the network disconnected, as I was only able to connect remotely at that point. (Step 3, Note 1 suggests "After downloading the tool, disconnect from the internet and disable all antivirus protection.") I was specifying that I did not do that before running DDS and linking the logs above, but that I could disconnect at another time if necessary.

I cannot really make changes to MalwareBytes on this machine, as it is a part of the installed platform, and is driven by back-end software. They are licensed only for this version. Quick tests run every day, and full scans every two days. If I change up the software, it will break their scripting. Unless there is a portable version of MBAM 2.0 you can point me to. (But I think those are only available with a technician subscription.) Or do you know if MBAM 2.0 can be installed in tandem with an earlier version? (I am not aware that it can do this, either.)

Can we proceed with other tools, or work off the existing DDS logs above?
 
redtarget.gif
Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

  • Close all the running programs
  • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

redtarget.gif
Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download http://www.imgdumper.nl/uploads6/51a5f31352f71/51a5f31352b88-icon_MBAR.png][/url][b][url=https://www.techspot.com/downloads/5603-malwarebytes-anti-rootkit.html][color=#0000FF]Malwarebytes Anti-Rootkit[/color][/url][/b] to your desktop.
[LIST]
[*][b][color=#FF0000]Warning![/color][/b] [I]Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.[/I]
[*]Double click on downloaded file. OK self extracting prompt.
[*]MBAR will start. Click "[b]Next[/b]" to continue.
[*]Click in the following screen "[b]Update[/b]" to obtain the latest malware definitions.
[*]Once the update is complete select "[b]Next[/b]" and click "[b]Scan[/b]".
[*]When the scan is finished and no malware has been found select "[b]Exit[/b]".
[*]If malware was detected, make sure to check all the items and click "[b]Cleanup[/b]". Reboot your computer.
[*]Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
[LIST]
[*][b]"mbar-log-[I]{date} (xx-xx-xx)[/I].txt"[/b]
[*][b]"system-log.txt"[/b]
[/LIST]
[/LIST]

P. S. I'm going out of town this afternoon. I'll be back on Sunday evening.
 
Thanks for the continuance. As a quick aside, when the browser.exe processes were constantly being re-created I noticed there were some rundll32.exe processes in the background as well. When I killed both of those as well, the browser.exe problem did not return, and nothing else was showing "browser crash" errors. So thankfully for now things are under control. (Just not yet cured at the source.)

----------------------------------------------

RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : bella [Admin rights]
Mode : Remove -- Date : 08/29/2014 16:30:08

¤¤¤ Bad processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\System32\svchost.exe[x] -> [NoKill]
[Suspicious.Path] (SVC) catchme -- \??\C:\Users\bella\AppData\Local\Temp\catchme.sys[x] -> STOPPED

¤¤¤ Registry Entries : 28 ¤¤¤
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | gphuntu : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\gphuntu.dll",gphuntu [x] -> DELETED
[Suspicious.Path] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Windows\CurrentVersion\Run | BrowserWireless : C:\Windows\system32\rundll32.exe "C:\Users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll",DllRegisterServer [x] -> DELETED
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | gphuntu : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\gphuntu.dll",gphuntu -> ERROR [2]
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASDIFSV -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASKUTIL -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASDIFSV -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASKUTIL -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> NOT SELECTED
[PUM.StartMenu] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[Tr.Poweliks] HKEY_USERS\.DEFAULT\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
[Tr.Poweliks] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
[Tr.Poweliks] HKEY_USERS\S-1-5-18\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> ERROR [2]

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-001CA0 +++++
--- User ---
[MBR] d452d056636c092a221d95c01a4bfb7c
[BSP] 84e48c58e691bbec0181b4693c809b20 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10679 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21872640 | Size: 466260 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Multi Flash Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_08292014_162914.log


------------------------------------------------------------------------------------------------------


MBAR detected no malware, so not logs to post.



Thanks for your time, meanwhile. Have a great weekend!
 
Still here for a bit...

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
I'll check in on it later this weekend. I ran Rkill and Combofix multiple times while trying to suss things out before posting here, so I don't think they'd do much anyway.

I haven't noticed the behavior returning after a reboot, so I think RogueKiller may have been what found and removed the active component. I'll see if it comes back over time and after a few reboots, and follow up here as necessary.


Start having that great weekend now. ;-)
 
I posted my rules at the very beginning.
One of them says:

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

I need to see Combofix log.
Then we'll continue with more scans.
 
There were some popups waiting for me after I ran Combofix. browser.exe and two rundll32.exe processes have been waiting for me in the background. They were not there before I ran Combofix just now, leading me to believe they're attached to explorer.exe restarting. (Maybe a network process?)

Combofix itself ran without issue, however.

------------------------------

ComboFix 14-08-31.01 - bella 09/01/2014 15:33:18.3.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.2122 [GMT -4:00]
Running from: c:\download\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2014-08-01 to 2014-09-01 )))))))))))))))))))))))))))))))
.
.
2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\setup\AppData\Local\temp
2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\mor1\AppData\Local\temp
2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\crystal\AppData\Local\temp
2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\administrator\AppData\Local\temp
2014-08-30 04:43 . 2014-08-30 04:43 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74D14E3C-5678-400C-8514-9869B9A2E3D4}\offreg.dll
2014-08-29 20:35 . 2014-08-29 21:11 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-08-29 20:34 . 2014-08-29 20:34 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-29 20:22 . 2014-08-29 20:22 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-29 20:22 . 2014-08-29 20:22 -------- d-----w- c:\programdata\RogueKiller
2014-08-29 06:09 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74D14E3C-5678-400C-8514-9869B9A2E3D4}\mpengine.dll
2014-08-28 13:42 . 2014-08-28 13:45 -------- d-----w- C:\FRST
2014-08-27 17:28 . 2010-08-30 12:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-08-26 20:12 . 2014-08-26 20:12 -------- d-----w- c:\users\bella\AppData\Roaming\SUPERAntiSpyware.com
2014-08-26 20:12 . 2014-08-26 20:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-08-26 18:45 . 2014-08-26 18:45 -------- d-----w- c:\windows\ERUNT
2014-08-26 18:40 . 2014-08-26 18:41 -------- d-----w- C:\AdwCleaner
2014-08-26 18:22 . 2014-08-26 18:31 -------- d-----w- C:\TDSSKiller_Quarantine
2014-08-26 04:48 . 2014-08-26 22:11 -------- d-----w- c:\programdata\OhlapGedce
2014-08-25 03:56 . 2014-08-26 03:11 -------- d-----w- C:\5a792bb
2014-08-23 22:30 . 2014-08-23 22:30 -------- d-----w- c:\users\bella\AppData\Local\BrowserWireless
2014-08-21 04:04 . 2014-06-06 09:44 509440 ----a-w- c:\windows\system32\qedit.dll
2014-08-17 12:54 . 2014-08-21 02:45 -------- d-----w- c:\users\bella\AppData\Local\ServerAudio
2014-08-12 19:35 . 2014-08-13 09:45 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-08-03 09:11 . 2014-08-03 09:11 -------- d-----w- c:\users\bella\AppData\Roaming\b65b63
2014-08-03 09:11 . 2014-08-03 15:22 -------- d-----w- c:\users\bella\AppData\Local\b65b63
2014-08-03 09:10 . 2014-08-04 13:30 -------- d-----w- c:\users\bella\AppData\Local\3328503800
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-29 07:15 . 2010-06-24 15:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-26 18:32 . 2010-11-20 21:29 376832 ----a-w- c:\windows\system32\rpcss.dll
2014-08-05 13:20 . 2011-10-19 21:14 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-07-19 13:10 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-07-19 13:10 . 2011-10-20 14:51 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-07-19 13:10 . 2011-10-20 14:51 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-07-19 13:10 . 2011-10-20 14:51 85832 ----a-w- c:\windows\system32\LMIinit.dll
2014-06-09 13:08 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ocx"="c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden [Reflection.Assembly]::Load((gp -Path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2012-02-07 3514368]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2012-10-16 3226504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\SMINST\Launcher.exe" [2010-04-02 237568]
.
c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-7-29 36414496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserWireless]
2014-08-27 13:23 292352 ----a-w- c:\users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
2012-10-16 20:29 3226504 ----a-w- c:\program files\GFI Software\GFIAgent\SBAMTray.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\bella\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\bella\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R3 DM150Drv;DM150Drv;c:\windows\system32\DRIVERS\DM150Drv.sys [2010-07-30 20600]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-20 1343400]
R4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\SAAZOD\zRealTime\SAAZapsc.exe SAAZapsc [x]
R4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [2011-10-19 78664]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
R4 ZEvtSVC;ZEvtSVC;c:\progra~1\SAAZOD\zSCC\zEvtSVC.exe [2012-11-09 232752]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 112800]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-07-19 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-24 13624]
S2 MBAMScheduler;MBAMScheduler;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\SAAZOD\zRealTime\SAAZappr.exe SAAZappr [x]
S2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [2011-10-19 86856]
S2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [2011-10-19 77824]
S2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [2009-04-30 77824]
S2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [2011-10-19 86856]
S2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [2012-10-16 3675976]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 66344]
S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [2012-10-16 175496]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-05-04 2656536]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 45288]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-05-23 43368]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 22856]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-06-10 69504]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-06-10 161664]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-09-17 13408]
S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-10-16 75552]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
*Deregistered* - MBAMSwissArmy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-08-30 19:34 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 02:35]
.
2014-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
2014-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: ncjar.com\www
TCP: DhcpNameServer = 192.168.0.20
TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:a4,03,e1,5a,85,b1,cf,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-01 15:44:28
ComboFix-quarantined-files.txt 2014-09-01 19:44
ComboFix2.txt 2014-08-28 14:13
ComboFix3.txt 2014-08-26 19:26
.
Pre-Run: 430,949,556,224 bytes free
Post-Run: 436,279,566,336 bytes free
.
- - End Of File - - 0E28F15C486538E0561E4BCCEE74BE8C
5C616939100B85E558DA92B899A0FC36
 
redtarget.gif
Running from: c:\download\ComboFix.exe
Please move Combofix file to proper location - Desktop

redtarget.gif
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

redtarget.gif
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

redtarget.gif
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
 
Is there a particular reason the malware tool file location matters, in this circumstance? The profile you launch it in matters, of course, but I don't think I have run across a time when the launch-from directory matters, so long as the security privileges The purpose of C:\download is that it is an internally-created and -used directory that is excluded from A/V and A/M and granted automatic firewall and router permissions (as needed) so that we can run certain tools on machines without conflict with on-board protection or group policy.

I can't run the other tests yet. The workstation will be in use during the day, and I'm deployed elsewhere. For now the browser.exe processes have not been coming back, since the rundll32.exe have been killed, so the customer is able to work a normal day. Will get back to after hours tonight.
 
Is there a particular reason the malware tool file location matters
Yes. At the end of our procedure we'll run cleaning tool which will remove all tools we've been using.
If some tool is not located on your Desktop the cleaning tool won't find it.
 
Yes, sorry. I've been having to work around the user's schedule and getting her to not shut down the PC at night, and when I was able to get in on Friday and could start running ADWcleaner, I got locked out in some fashion. Only just got back in the office today, after a morning onsite.

I'll have to arrange a time when I can get to the PC locally, I think.
 
Couldn't get to the PC locally. On it remotely. Fingers crossed that I don't get locked out. ;-)

It hasn't been pressing for the user, since I provided a batch file that kills the problem while it's running. Sorry for the lengthy delays.
 
Haha... nope! AdwCleaner completely thrashes my remote connection, for some reason, after telling it to perform the cleanup and reboot. (Looks like it knocks out my LMI tools, but does not successfully reboot. Maybe I can script my way around that, too. But not today.)
 
At last!


---------------------------------------

# AdwCleaner v3.310 - Report created 16/09/2014 at 16:33:09
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : bella - NCJAR-NEX-1011
# Running from : C:\Users\bella\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****
-\\ Internet Explorer v9.0.8112.16545

-\\ Google Chrome v37.0.2062.120
[ File : C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\preferences ]
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R1].txt - [792 octets] - [27/08/2014 13:27:20]
AdwCleaner[R2].txt - [863 octets] - [28/08/2014 09:27:31]
AdwCleaner[R3].txt - [1327 octets] - [05/09/2014 17:26:49]
AdwCleaner[R4].txt - [1242 octets] - [15/09/2014 16:37:27]
AdwCleaner[R5].txt - [1362 octets] - [16/09/2014 16:32:03]
AdwCleaner[S1].txt - [547 octets] - [28/08/2014 09:28:54]
AdwCleaner[S2].txt - [753 octets] - [05/09/2014 17:29:23]
AdwCleaner[S3].txt - [546 octets] - [15/09/2014 16:39:09]
AdwCleaner[S4].txt - [1287 octets] - [16/09/2014 16:33:09]
########## EOF - U:\AdwCleaner\AdwCleaner[S4].txt - [1347 octets] ##########



-------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.5 (09.16.2014:1)
OS: Windows 7 Professional x86
Ran by bella on Tue 09/16/2014 at 16:39:58.54
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services
~~~ Registry Values
Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?
Value Name Type Value Data
========================================================================================
wvxdmfokq REG_SZ rundll32.exe "C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll",DllRegisterServer

~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/16/2014 at 16:42:29.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by bella (administrator) on NCJAR-NEX-1011 on 16-09-2014 16:48:28
Running from C:\Users\bella\Desktop
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool:
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(Malwarebytes Corporation) C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZDPMACTL.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZScheduler.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZServerPlus.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZWatchDog.exe
(GFI Software) C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
(Zenith Infotech Ltd) C:\Program Files\SAAZOD\zRealTime\rtHlpDk.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(CyberLink) C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Pitney Bowes, Inc.) C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
(Dropbox, Inc.) C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe
(GFI Software) C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
(Continuum Managed Services LLC.) C:\Program Files\SAAZOD\zSCC\zInCCM.exe
(Continuum Managed Services LLC.) C:\Program Files\SAAZOD\zSCC\zCCM.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(GFI Software) C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Thisisu) C:\Users\bella\Desktop\JRT.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10820200 2011-08-16] (Realtek Semiconductor)
HKLM\...\Run: [NUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-04-14] (Renesas Electronics Corporation)
HKLM\...\Run: [UpdateLBPShortCut] => C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] => C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-12-15] (CyberLink)
HKLM\...\Run: [UpdateP2GoShortCut] => C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM\...\Run: [UCam_Menu] => C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)
HKLM\...\Run: [UpdatePSTShortCut] => C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [222504 2010-04-20] (CyberLink Corp.)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2010-09-17] (LogMeIn, Inc.)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [itype] => c:\Program Files\Microsoft IntelliType Pro\itype.exe [1313640 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [PC Meter Connect] => C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe [3514368 2012-02-07] (Pitney Bowes, Inc.)
HKLM\...\Run: [SBAMTray] => C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe [3226504 2012-10-16] (GFI Software)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [Launcher] => C:\Program Files\SMINST\Launcher.exe [237568 2010-04-02] (soft thinks)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKU\S-1-5-21-336078627-3664855205-978596220-1153\...\Run: [ocx] => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [452608 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-336078627-3664855205-978596220-1153\...\Run: [wvxdmfokq] => rundll32.exe "C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll",DllRegisterServer <===== ATTENTION
Startup: C:\Users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x7B2CC4C8A38ECC01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKCU - {214E69C2-1C1F-41A7-B722-788A39E8D635} URL = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://control.itsupport247.net/components/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=722
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.20
Tcpip\..\Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: [NameServer] 192.168.0.20,8.8.8.8,208.67.222.222
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> B82890D073B845E7A9E3D8DCE390C6208FB1A46C2B5FB3FCDCE7359A58E13CDB
CHR DefaultSearchURL: Default -> CC2E8E2C7188E37081A968209AA2D279D40D1834D1E88663A583F907622A6227
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
CHR CustomProfile: C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (Google Wallet) - C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-16]
========================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 Intel(R) PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [112800 2011-06-29] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-29] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-29] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [45568 2012-02-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [55808 2012-02-08] (Hewlett-Packard) [File not signed]
R2 SAAZappr; C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe [82760 2011-05-31] (Zenith Infotech Ltd)
S4 SAAZapsc; C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe [82760 2011-05-31] (Zenith Infotech Ltd)
R2 SAAZDPMACTL; C:\Program Files\SAAZOD\SAAZDPMACTL.exe [86856 2011-10-19] (Zenith Infotech Ltd)
S4 SAAZRemoteSupport; C:\Program Files\SAAZOD\SAAZRemoteSupport.exe [78664 2011-10-19] (Zenith Infotech Ltd)
R2 SAAZScheduler; C:\Program Files\SAAZOD\SAAZScheduler.exe [77824 2011-10-19] (Zenith Infotech Ltd) [File not signed]
R2 SAAZServerPlus; C:\Program Files\SAAZOD\SAAZServerPlus.exe [77824 2009-04-30] (Zenith Infotech Ltd) [File not signed]
R2 SAAZWatchDog; C:\Program Files\SAAZOD\SAAZWatchDog.exe [86856 2011-10-19] (Zenith Infotech Ltd)
R2 SBAMSvc; C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe [3675976 2012-10-16] (GFI Software)
R2 SBPIMSvc; C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe [175496 2012-10-16] (GFI Software)
S4 ZEvtSVC; C:\Program Files\SAAZOD\zSCC\zEvtSVC.exe [232752 2012-11-09] (Continuum Managed Services LLC.)
S3 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S3 DM150Drv; C:\Windows\System32\DRIVERS\DM150Drv.sys [20600 2010-07-30] (Pitney Bowes)
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [268968 2011-07-20] (Intel Corporation)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [69504 2011-06-10] (Renesas Electronics Corporation)
R3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [161664 2011-06-10] (Renesas Electronics Corporation)
R3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [13408 2010-09-17] (LogMeIn, Inc.)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [66344 2012-08-01] (GFI Software)
R3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [75552 2012-10-15] (GFI Software)
S3 catchme; \??\C:\Users\bella\AppData\Local\Temp\catchme.sys [X]
S4 LMIRfsClientNP; No ImagePath
S1 SASDIFSV; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [X]
S1 SASKUTIL; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [X]
==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-16 16:48 - 2014-09-16 16:48 - 00014696 _____ () C:\Users\bella\Desktop\FRST.txt
2014-09-16 16:45 - 2014-09-16 16:48 - 01097728 _____ (Farbar) C:\Users\bella\Desktop\FRST.exe
2014-09-16 16:42 - 2014-09-16 16:42 - 00000993 _____ () C:\Users\bella\Desktop\JRT.txt
2014-09-16 16:39 - 2014-09-16 16:39 - 01016035 _____ (Thisisu) C:\Users\bella\Desktop\JRT.exe
2014-09-16 16:31 - 2014-09-16 16:31 - 05579386 _____ (Swearware) C:\Users\bella\Desktop\ComboFix.exe
2014-09-16 16:31 - 2014-09-16 16:31 - 01373475 _____ () C:\Users\bella\Desktop\AdwCleaner.exe
2014-09-16 12:19 - 2014-09-16 12:20 - 00011902 _____ () C:\Users\bella\Documents\Legal Issues with Remax Achievers 9.17.14.xlsx
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list.csv
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (2).csv
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (1).csv
2014-09-11 14:05 - 2014-09-11 14:05 - 00009399 _____ () C:\Users\bella\Documents\CE Roster Template.xlsx
2014-09-11 13:49 - 2014-09-11 13:49 - 00146352 _____ (Tim Kosse) C:\Users\bella\AppData\Roaming\ezvbho.exe
2014-09-11 09:13 - 2014-09-16 15:40 - 00015005 _____ () C:\Users\bella\Documents\Cushman and Wakefield Leases 10.5.14.xlsx
2014-09-11 09:09 - 2014-09-16 15:35 - 00014970 _____ () C:\Users\bella\Documents\Cushman and Wakefield Listing Agmts 10.5.14.xlsx
2014-09-10 09:21 - 2014-09-10 09:21 - 00000254 _____ () C:\Windows\system32\AgentDWQ.xml
2014-09-09 15:15 - 2014-09-09 15:15 - 00009615 _____ () C:\Users\bella\Documents\Kids College Schedule Fall 2014.xlsx
2014-09-09 13:03 - 2014-09-12 16:20 - 00014599 _____ () C:\Users\bella\Documents\Cushman and Wakefield One Day CE9.15.14.xlsx
2014-09-09 12:25 - 2014-09-09 12:25 - 00027136 _____ () C:\Users\bella\Documents\Salesperson's Roster 9.2.14.xls
2014-09-09 11:27 - 2014-09-09 11:40 - 00011358 _____ () C:\Users\bella\Documents\KW Livingston Legal Issues 9.10.14.xlsx
2014-09-09 09:42 - 2014-09-09 09:45 - 00009933 _____ () C:\Users\bella\Documents\Employee emails 9.9.14.xlsx
2014-09-08 12:26 - 2014-09-09 16:41 - 00013923 _____ () C:\Users\bella\Documents\Realtor Care Day Roster with emails 9.12.14.xlsx
2014-09-05 10:51 - 2014-09-10 11:25 - 00000000 ____D () C:\Users\bella\AppData\Local\CrashDumps
2014-09-02 15:08 - 2014-08-29 03:18 - 00000050 _____ () C:\Users\bella\Desktop\errorclear.bat
2014-09-02 13:38 - 2014-09-02 14:04 - 00010804 _____ () C:\Users\bella\Documents\Salesperson's 9.2.14.xlsx
2014-09-02 09:28 - 2014-09-01 15:43 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts.bak090214092805
2014-09-01 15:44 - 2014-09-01 15:44 - 00017880 _____ () C:\ComboFix.txt
2014-08-29 16:35 - 2014-08-29 17:11 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-08-29 16:34 - 2014-08-29 16:34 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-29 16:22 - 2014-08-29 16:22 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-29 16:22 - 2014-08-29 16:22 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-28 09:42 - 2014-09-16 16:48 - 00000000 ____D () C:\FRST
2014-08-27 13:28 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com
2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-08-26 14:56 - 2014-09-01 15:44 - 00000000 ____D () C:\Qoobox
2014-08-26 14:56 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-08-26 14:56 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-08-26 14:56 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-08-26 14:56 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-08-26 14:56 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-08-26 14:56 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-08-26 14:56 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-08-26 14:56 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-08-26 14:48 - 2014-08-26 15:25 - 00000000 ____D () C:\Windows\erdnt
2014-08-26 14:45 - 2014-08-26 14:45 - 00000000 ____D () C:\Windows\ERUNT
2014-08-26 14:40 - 2014-08-26 14:41 - 00000000 ____D () C:\AdwCleaner
2014-08-26 14:22 - 2014-08-26 14:31 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-08-26 00:48 - 2014-08-26 18:11 - 00000000 ____D () C:\ProgramData\OhlapGedce
2014-08-24 23:56 - 2014-08-25 23:11 - 00000000 ____D () C:\5a792bb
2014-08-24 01:14 - 2014-08-24 01:14 - 345088437 _____ () C:\Windows\MEMORY.DMP
2014-08-23 18:30 - 2014-08-23 18:30 - 00000000 ____D () C:\Users\bella\AppData\Local\BrowserWireless
2014-08-21 00:04 - 2014-06-06 05:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-08-21 00:03 - 2014-06-17 21:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-08-21 00:03 - 2014-06-17 20:52 - 02350080 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-21 00:03 - 2014-06-05 10:26 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-08-21 00:03 - 2014-05-30 02:36 - 00338944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-08-17 08:54 - 2014-08-20 22:45 - 00000000 ____D () C:\Users\bella\AppData\Local\ServerAudio
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-16 16:48 - 2014-09-16 16:48 - 00014696 _____ () C:\Users\bella\Desktop\FRST.txt
2014-09-16 16:48 - 2014-09-16 16:45 - 01097728 _____ (Farbar) C:\Users\bella\Desktop\FRST.exe
2014-09-16 16:48 - 2014-08-28 09:42 - 00000000 ____D () C:\FRST
2014-09-16 16:42 - 2014-09-16 16:42 - 00000993 _____ () C:\Users\bella\Desktop\JRT.txt
2014-09-16 16:42 - 2012-04-17 09:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-16 16:41 - 2009-07-14 00:34 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-16 16:41 - 2009-07-14 00:34 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-16 16:39 - 2014-09-16 16:39 - 01016035 _____ (Thisisu) C:\Users\bella\Desktop\JRT.exe
2014-09-16 16:38 - 2011-10-19 17:39 - 00000000 ____D () C:\Program Files\SAAZOD
2014-09-16 16:36 - 2014-05-15 11:13 - 00000000 ___RD () C:\Users\bella\Dropbox
2014-09-16 16:36 - 2014-05-15 11:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\Dropbox
2014-09-16 16:35 - 2013-10-16 13:50 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-16 16:34 - 2014-01-22 10:14 - 00000964 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-09-16 16:34 - 2013-10-16 13:50 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-16 16:34 - 2011-10-17 08:56 - 01432020 _____ () C:\Windows\WindowsUpdate.log
2014-09-16 16:33 - 2011-10-19 17:05 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2014-09-16 16:33 - 2010-11-20 17:48 - 00119844 _____ () C:\Windows\PFRO.log
2014-09-16 16:33 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-16 16:33 - 2009-07-14 00:39 - 00061506 _____ () C:\Windows\setupact.log
2014-09-16 16:31 - 2014-09-16 16:31 - 05579386 _____ (Swearware) C:\Users\bella\Desktop\ComboFix.exe
2014-09-16 16:31 - 2014-09-16 16:31 - 01373475 _____ () C:\Users\bella\Desktop\AdwCleaner.exe
2014-09-16 15:40 - 2014-09-11 09:13 - 00015005 _____ () C:\Users\bella\Documents\Cushman and Wakefield Leases 10.5.14.xlsx
2014-09-16 15:35 - 2014-09-11 09:09 - 00014970 _____ () C:\Users\bella\Documents\Cushman and Wakefield Listing Agmts 10.5.14.xlsx
2014-09-16 13:22 - 2011-10-20 22:20 - 00000000 ____D () C:\Users\bella\Documents\Outlook Files
2014-09-16 12:20 - 2014-09-16 12:19 - 00011902 _____ () C:\Users\bella\Documents\Legal Issues with Remax Achievers 9.17.14.xlsx
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list.csv
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (2).csv
2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (1).csv
2014-09-16 09:04 - 2011-10-20 10:51 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-09-15 16:36 - 2011-12-09 12:10 - 00000000 ____D () C:\download
2014-09-15 00:12 - 2011-10-19 17:42 - 00002269 _____ () C:\Windows\system32\ipstuffNew.txt
2014-09-13 22:25 - 2014-03-14 09:20 - 00000000 ____D () C:\Users\bella\AppData\Local\Apps\2.0
2014-09-13 22:25 - 2012-09-25 15:24 - 00000000 ____D () C:\ProgramData\Pitney Bowes
2014-09-13 22:25 - 2011-10-28 14:49 - 00000000 ____D () C:\Users\bella\AppData\Local\Google
2014-09-13 22:25 - 2011-10-20 10:52 - 00000000 ____D () C:\XFER
2014-09-13 22:25 - 2011-10-19 17:50 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-09-13 22:25 - 2011-10-19 17:09 - 00000000 ____D () C:\Users\administrator\AppData\Local\Power2Go
2014-09-13 22:25 - 2011-10-19 17:09 - 00000000 ____D () C:\Users\administrator
2014-09-13 22:24 - 2011-10-20 22:16 - 00000000 ____D () C:\Old User Accounts
2014-09-13 22:24 - 2011-10-17 08:59 - 00000000 ____D () C:\net_drvs
2014-09-13 22:23 - 2012-01-24 16:41 - 00000000 ____D () C:\bizhub 601
2014-09-12 16:20 - 2014-09-09 13:03 - 00014599 _____ () C:\Users\bella\Documents\Cushman and Wakefield One Day CE9.15.14.xlsx
2014-09-11 14:05 - 2014-09-11 14:05 - 00009399 _____ () C:\Users\bella\Documents\CE Roster Template.xlsx
2014-09-11 13:49 - 2014-09-11 13:49 - 00146352 _____ (Tim Kosse) C:\Users\bella\AppData\Roaming\ezvbho.exe
2014-09-11 00:18 - 2011-10-20 22:22 - 00000000 ____D () C:\Users\bella\AppData\Local\Windows Live Writer
2014-09-10 11:37 - 2013-10-16 13:50 - 00002135 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-10 11:25 - 2014-09-05 10:51 - 00000000 ____D () C:\Users\bella\AppData\Local\CrashDumps
2014-09-10 09:21 - 2014-09-10 09:21 - 00000254 _____ () C:\Windows\system32\AgentDWQ.xml
2014-09-10 09:21 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Web
2014-09-09 16:41 - 2014-09-08 12:26 - 00013923 _____ () C:\Users\bella\Documents\Realtor Care Day Roster with emails 9.12.14.xlsx
2014-09-09 15:15 - 2014-09-09 15:15 - 00009615 _____ () C:\Users\bella\Documents\Kids College Schedule Fall 2014.xlsx
2014-09-09 12:25 - 2014-09-09 12:25 - 00027136 _____ () C:\Users\bella\Documents\Salesperson's Roster 9.2.14.xls
2014-09-09 11:40 - 2014-09-09 11:27 - 00011358 _____ () C:\Users\bella\Documents\KW Livingston Legal Issues 9.10.14.xlsx
2014-09-09 09:45 - 2014-09-09 09:42 - 00009933 _____ () C:\Users\bella\Documents\Employee emails 9.9.14.xlsx
2014-09-08 19:20 - 2013-10-16 13:50 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-08 19:20 - 2011-10-28 14:50 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-09-08 09:15 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-09-05 11:34 - 2013-10-16 15:25 - 00223744 _____ () C:\Users\bella\Documents\2014 Volunteer Pool.xls
2014-09-02 14:04 - 2014-09-02 13:38 - 00010804 _____ () C:\Users\bella\Documents\Salesperson's 9.2.14.xlsx
2014-09-01 15:44 - 2014-09-01 15:44 - 00017880 _____ () C:\ComboFix.txt
2014-09-01 15:44 - 2014-08-26 14:56 - 00000000 ____D () C:\Qoobox
2014-09-01 15:43 - 2014-09-02 09:28 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts.bak090214092805
2014-09-01 15:43 - 2009-07-13 22:04 - 00000215 _____ () C:\Windows\system.ini
2014-08-29 17:11 - 2014-08-29 16:35 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-08-29 16:34 - 2014-08-29 16:34 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-29 16:22 - 2014-08-29 16:22 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-29 16:22 - 2014-08-29 16:22 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-29 03:18 - 2014-09-02 15:08 - 00000050 _____ () C:\Users\bella\Desktop\errorclear.bat
2014-08-28 09:36 - 2009-07-14 00:53 - 00032612 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-08-27 09:19 - 2011-10-28 14:49 - 00000000 ____D () C:\Program Files\Google
2014-08-27 09:19 - 2011-04-27 14:30 - 00000000 ____D () C:\Windows\options
2014-08-27 09:19 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\PLA
2014-08-26 18:11 - 2014-08-26 00:48 - 00000000 ____D () C:\ProgramData\OhlapGedce
2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com
2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-08-26 16:08 - 2011-10-28 14:49 - 00000000 ____D () C:\ProgramData\Google
2014-08-26 15:26 - 2009-07-13 22:37 - 00000000 __RHD () C:\Users\Default
2014-08-26 15:26 - 2009-07-13 22:37 - 00000000 ___RD () C:\Users\Public
2014-08-26 15:25 - 2014-08-26 14:48 - 00000000 ____D () C:\Windows\erdnt
2014-08-26 14:45 - 2014-08-26 14:45 - 00000000 ____D () C:\Windows\ERUNT
2014-08-26 14:41 - 2014-08-26 14:40 - 00000000 ____D () C:\AdwCleaner
2014-08-26 14:32 - 2010-11-20 17:29 - 00376832 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-08-26 14:31 - 2014-08-26 14:22 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-08-26 14:09 - 2014-04-09 12:41 - 00000074 _____ () C:\Windows\system32\xtzdkwb.yim
2014-08-26 14:04 - 2014-08-08 04:28 - 00039936 _____ () C:\Windows\system32\ecmnmao.jfy
2014-08-26 14:04 - 2014-04-09 12:31 - 00000320 _____ () C:\Windows\system32\fpfsohh.suz
2014-08-25 23:12 - 2011-10-17 08:52 - 00000000 ____D () C:\Windows\CSC
2014-08-25 23:12 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Resources
2014-08-25 23:11 - 2014-08-24 23:56 - 00000000 ____D () C:\5a792bb
2014-08-24 23:56 - 2011-10-17 08:57 - 00000280 _____ () C:\ver.txt
2014-08-24 23:56 - 2011-04-27 17:54 - 00008728 __RSH () C:\BOOTSECT.BAK
2014-08-24 01:52 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2014-08-24 01:15 - 2009-07-14 00:33 - 00363064 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-24 01:14 - 2014-08-24 01:14 - 345088437 _____ () C:\Windows\MEMORY.DMP
2014-08-24 01:14 - 2011-10-17 04:51 - 00000000 ____D () C:\Windows\I386
2014-08-24 01:14 - 2010-11-20 20:47 - 00000000 ____D () C:\Program Files\Windows Journal
2014-08-24 01:14 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\AppCompat
2014-08-23 18:30 - 2014-08-23 18:30 - 00000000 ____D () C:\Users\bella\AppData\Local\BrowserWireless
2014-08-20 22:45 - 2014-08-17 08:54 - 00000000 ____D () C:\Users\bella\AppData\Local\ServerAudio
2014-08-20 09:04 - 2009-07-13 22:37 - 00000000 __RSD () C:\Windows\Media
2014-08-18 09:12 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\twain_32
Some content of TEMP:
====================
C:\Users\bella\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppmchf8.dll
C:\Users\bella\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-09-16 14:11
==================== End Of Log ============================
 
Sorry, for some reason that one was not produced this time. I thought it might not need, but maybe it knew the tool had been run previously on that machine. I have an addition.txt from the 28th (before I started this ticket) that I will include below. Will you need me to clear things aside enough to run current one?

----------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by bella at 2014-08-28 09:44:36
Running from C:\download
Boot Mode: Normal
==========================================================

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
32 Bit HP CIO Components Installer (Version: 13.1.1 - Hewlett-Packard) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.9.0.1380 - Adobe Systems Incorporated)
Adobe AIR (Version: 3.9.0.1380 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Avery Wizard 4.0 (HKLM\...\{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}) (Version: 4.0.103 - Avery)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{28857979-5507-4C10-A922-FF709A19D38C}) (Version: - Microsoft)
Dropbox (HKCU\...\Dropbox) (Version: 2.10.27 - Dropbox, Inc.)
FileMaker Pro 8.5 (HKLM\...\{34F3877C-6399-4A89-98FD-C3FE32EEE25C}) (Version: 8.5.2.0 - FileMaker, Inc.)
GFI Business Agent (HKLM\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 6.0.5481 - GFI Software)
GFI Business Agent (Version: 6.0.5481 - GFI Software) Hidden
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.94 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
Intel(R) Control Center (HKLM\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Network Connections 16.5.2.0 (HKLM\...\PROSetDX) (Version: 16.5.2.0 - Intel)
Intel(R) Network Connections 16.5.2.0 (Version: 16.5.2.0 - Intel) Hidden
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2476 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.6.0.1002 - Intel Corporation)
ITSupport247-DPMA (HKLM\...\SAAZOD) (Version: 5.2.4 - Continuum Managed Services LLC)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
KONICA MINOLTA bizhub 751/601 (HKLM\...\KONICA MINOLTA bizhub 751/601 Installer) (Version: - KONICA MINOLTA)
LG CyberLink LabelPrint (HKLM\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2111 - CyberLink Corp.)
LG CyberLink LabelPrint (Version: 2.5.2111 - CyberLink Corp.) Hidden
LG CyberLink Power2Go (HKLM\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.2.4009 - CyberLink Corp.)
LG CyberLink Power2Go (Version: 6.2.4009 - CyberLink Corp.) Hidden
LG CyberLink PowerBackup (HKLM\...\{ADD5DB49-72CF-11D8-9D75-000129760D75}) (Version: 2.5.5529 - CyberLink Corp.)
LG CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.3304a - CyberLink Corp.)
LG CyberLink YouCam (Version: 2.0.3304a - CyberLink Corp.) Hidden
LG Power Tools (HKLM\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3316 - CyberLink Corp.)
LG Power Tools (Version: 6.0.3316 - CyberLink Corp.) Hidden
LogMeIn (HKLM\...\{D3AE96EE-2876-4B3F-847C-D3A4AD689E43}) (Version: 4.1.1578 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 1.65.1.1000 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.65.1.1000 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (Version: 8.20.468.0 - Microsoft Corporation) Hidden
Microsoft IntelliType Pro 8.2 (HKLM\...\Microsoft IntelliType Pro 8.2) (Version: 8.20.469.0 - Microsoft Corporation)
Microsoft IntelliType Pro 8.2 (Version: 8.20.469.0 - Microsoft Corporation) Hidden
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version: - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (Version: - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft XML Parser (Version: 8.70.1104.04 - Microsoft Corporation) Hidden
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nexlink Recovery Center (HKLM\...\{0F9B474C-B65A-427E-A3A6-9B7460ED14D9}) (Version: 1.2.21 - SoftThinks)
PC Meter Connect (HKLM\...\{D39BAE47-1B85-41F6-9348-44E965009B56}) (Version: 05.00.0056.0000 - Pitney Bowes)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6438 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.19.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.1.19.0 - Renesas Electronics Corporation) Hidden
ShopAtHome.com Helper (HKLM\...\ShopAtHome.com Helper) (Version: 7.0.2.1 - ShopAtHome.com)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4ACD847E-547D-493F-9A86-F73EAE1B5174}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{18B3CF2A-73F7-4716-B1AE-86D68726D408}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (HKLM\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{73E67A3A-8D61-44EF-90C2-1697C3DBE668}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2566458) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFB525A0-E1C0-4E32-9968-FE401BC87363}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ED31DE9A-3E13-4E2C-9106-E0D8AFFB9FA6}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{334FB202-28D7-4BA4-8BC9-4FE4AB233EA0}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0D672F7-883E-4279-8E75-D97A5445AB46}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0DB9F71-E0F7-4FE6-8925-35B860CAC0C4}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{C0BDC1DE-C35E-422B-8CBD-C1D555468720}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{089DBFD7-8211-43B2-AAAE-5BDD8C23E3A8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{794A0574-4E2F-4D58-B2A0-D7460ACDC85C}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition (HKLM\...\{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{9865DC3A-2898-48D9-B96A-46397571C934}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{1EEFF749-6F29-4F0B-AB08-4C6EA52AA110}) (Version: - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{BC6DFBFD-16DD-47E1-A7EF-2C062930FA4F}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version: - Microsoft)
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version: - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version: - Microsoft)
Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version: - Microsoft)
Windows Driver Package - Pitney Bowes (DM150Drv) USB (07/04/2010 2.0.1.5) (HKLM\...\BD561D5D94E7AFC181BE8A098D2EC2B90BD07068) (Version: 07/04/2010 2.0.1.5 - Pitney Bowes)
Windows Live Communications Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Essentials (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
==================== Restore Points =========================
18-07-2014 09:44:15 Windows Update
22-07-2014 01:42:48 Windows Update
22-07-2014 01:43:44 Windows Update
22-07-2014 01:44:01 Windows Update
22-07-2014 01:44:27 Windows Update
22-07-2014 01:44:52 Windows Update
26-08-2014 23:24:00 Scheduled Checkpoint
28-08-2014 09:13:55 Windows Update
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 22:04 - 2014-08-26 15:25 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {5D54E216-E864-4658-AD76-A9E3104F645E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-27] (Adobe Systems Incorporated)
Task: {71BD2A95-2994-463C-B265-733BFB1ACF9B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-10-16] (Google Inc.)
Task: {7842BDB0-3EF8-4C9D-AC97-ACFD9C3D24D9} - System32\Tasks\{EA7BDE4B-E79B-9AE7-C48B-6A7290BB8BDF} => C:\Windows\system32\bwjbt.dll/s "C:\Windows\system32\bwjbt.dll"
Task: {86F63824-521F-4B32-A196-C881D5D820F3} - System32\Tasks\{EEB24AC8-CECD-565F-1D17-BB284BABA67C} => C:\Windows\system32\vihsfy.dll/s "C:\Windows\system32\vihsfy.dll"
Task: {882EFFD9-D52E-4618-BA3E-A48DDA9DF907} - System32\Tasks\{7FD23C53-AA66-5637-7E1F-90D46F9A62AB} => C:\Windows\system32\lkzat.dll/s "C:\Windows\system32\lkzat.dll"
Task: {90EF2650-2607-42A9-A58D-2F663806107C} - System32\Tasks\{0B93B45D-6E75-45C5-BF74-94C9A1B57C5D} => C:\Program Files\FileMaker\FileMaker Pro 8.5\FileMaker Pro.exe [2007-02-13] (FileMaker, Inc.)
Task: {9400D8DC-981F-41FA-AB9B-6563A8803675} - System32\Tasks\{7FD45665-85EA-8066-EE79-5FA9A3F7CE2E} => C:\Windows\system32\nfxmxrz.dll/s "C:\Windows\system32\nfxmxrz.dll"
Task: {ACE5A76B-0FEB-40D7-AB3B-471C39A8E724} - System32\Tasks\Microsoft_Hardware_Launch_IType_exe => c:\Program Files\Microsoft IntelliType Pro\IType.exe [2011-08-10] (Microsoft Corporation)
Task: {B474333C-CBF6-4495-A845-1A0485E458A8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-10-16] (Google Inc.)
Task: {BF267A3F-37C3-4562-9B9C-7A6716F5B842} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe [2011-08-01] (Microsoft Corporation)
Task: {E9626A09-0716-4133-9EF9-088C9EA46DA6} - System32\Tasks\{E064ED84-AD37-CF9C-9AF8-5214DAA12C73} => C:\Windows\system32\qywcwk.dll/s "C:\Windows\system32\qywcwk.dll"
Task: {F4DCB859-DA48-40EE-9001-B5AFDF2CC19B} - System32\Tasks\{2418D788-DCD6-326A-E4C6-FACCA1838469} => C:\Windows\system32\cxelqm.dll/s "C:\Windows\system32\cxelqm.dll"
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
==================== Loaded Modules (whitelisted) =============
2009-10-02 00:07 - 2012-01-24 16:41 - 00011264 _____ () C:\Windows\System32\KOBZFS_L.dll
2009-10-02 00:07 - 2012-01-24 16:42 - 00011264 _____ () C:\Windows\System32\KOBZFA_L.dll
2009-10-02 00:07 - 2012-01-24 16:42 - 00011264 _____ () C:\Windows\System32\KOBZFW_L.DLL
2012-02-20 23:26 - 2012-02-20 23:26 - 00160768 _____ () C:\Program Files\GFI Software\GFIAgent\unrar.dll
2009-12-15 13:46 - 2009-12-15 13:46 - 00619816 ____N () C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
2009-12-15 13:49 - 2009-12-15 13:49 - 00013096 ____N () C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
2011-10-17 04:38 - 2011-08-09 07:44 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2014-08-28 09:37 - 2014-08-28 09:37 - 00043008 _____ () c:\users\bella\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpg00pge.dll
2013-08-23 15:01 - 2013-08-23 15:01 - 25100288 _____ () C:\Users\bella\AppData\Roaming\Dropbox\bin\libcef.dll
2012-12-04 23:49 - 2014-06-20 06:08 - 00192376 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libBase64.dll
2012-12-04 23:49 - 2014-06-20 06:08 - 00180088 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libMachoUniv.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 00718152 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\libglesv2.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 00126280 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\libegl.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 08537928 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\pdf.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 00353096 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 01732936 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\ffmpegsumo.dll
2014-08-27 13:56 - 2014-08-27 13:56 - 14669128 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\PepperFlash\pepflashplayer.dll
2013-09-20 22:08 - 2013-09-20 22:08 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\f74734b086803d04e7f573d7853cfc8a\IsdiInterop.ni.dll
2011-10-17 08:58 - 2011-05-20 10:05 - 00059904 _____ () C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 01098056 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\libglesv2.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 00174408 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\libegl.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\pdf.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\ppGoogleNaClPluginChrome.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\ffmpegsumo.dll
2014-08-27 17:37 - 2014-08-19 18:16 - 14669128 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\PepperFlash\pepflashplayer.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "imagepath"=""C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "type"="110"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "imagepath"=""C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "type"="110"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBPIMSvc => ""="Service"
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\Services: SBAMSvc => 2
MSCONFIG\Services: SBPIMSvc => 2
MSCONFIG\startupfolder: C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BrowserWireless => C:\Windows\system32\rundll32.exe "C:\Users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll",DllRegisterServer
MSCONFIG\startupreg: SBAMTray => "C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe"
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
==================== Faulty Device Manager Devices =============
Name: SASDIFSV
Description: SASDIFSV
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SASDIFSV
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
Name: SASKUTIL
Description: SASKUTIL
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SASKUTIL
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
Name: Unknown Device
Description: Unknown Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service:
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

==================== Event log errors: =========================
Application errors:
==================
Error: (08/28/2014 00:33:33 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/28/2014 00:31:19 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/28/2014 00:30:14 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/27/2014 00:32:49 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/27/2014 00:31:18 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/27/2014 00:30:16 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/26/2014 04:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: program.com, version: 6.0.0.1130, time stamp: 0x53ed0696
Faulting module name: program.com, version: 6.0.0.1130, time stamp: 0x53ed0696
Exception code: 0xc0000417
Fault offset: 0x0019ba66
Faulting process id: 0xf4c
Faulting application start time: 0xprogram.com0
Faulting application path: program.com1
Faulting module path: program.com2
Report Id: program.com3

System errors:
=============
Error: (08/28/2014 09:36:28 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASDIFSV
SASKUTIL
Error: (08/28/2014 09:36:14 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NORTHCENT due to the following:
%%1311
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
Error: (08/28/2014 09:36:11 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:34:39 AM on ‎8/‎28/‎2014 was unexpected.
Error: (08/28/2014 09:30:15 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).
Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Interactive Services Detection service terminated unexpectedly. It has done this 1 time(s).
Error: (08/28/2014 09:28:46 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
Error: (08/28/2014 09:28:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
Error: (08/28/2014 09:28:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (08/28/2014 00:33:33 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\pitney bowes\pc meter connect\usbdriver\dpinst64.exe
Error: (08/28/2014 00:31:19 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\konica minolta\printerdrivers\BZ751\Setup64.exe
Error: (08/28/2014 00:30:14 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\Pitney Bowes\PC Meter Connect\USBDriver\dpinst64.exe
Error: (08/27/2014 00:32:49 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\pitney bowes\pc meter connect\usbdriver\dpinst64.exe
Error: (08/27/2014 00:31:18 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\konica minolta\printerdrivers\BZ751\Setup64.exe
Error: (08/27/2014 00:30:16 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\Pitney Bowes\PC Meter Connect\USBDriver\dpinst64.exe
Error: (08/26/2014 04:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: program.com6.0.0.113053ed0696program.com6.0.0.113053ed0696c00004170019ba66f4c01cfc16a111d3e8eC:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\program.comC:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\program.comd8489457-2d60-11e4-8b2e-e06995d2bdaa

==================== Memory info ===========================
Processor: Intel(R) Core(TM) i3-2102 CPU @ 3.10GHz
Percentage of memory in use: 71%
Total physical RAM: 3493.4 MB
Available physical RAM: 990.8 MB
Total Pagefile: 6985.09 MB
Available Pagefile: 4071.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1853.12 MB
==================== Drives ================================
Drive c: (SYSTEM) (Fixed) (Total:455.33 GB) (Free:403.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive r: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
Drive t: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
Drive u: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
Drive w: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 304647AA)
Partition 1: (Active) - (Size=10.4 GB) - (Type=27)
Partition 2: (Not Active) - (Size=455.3 GB) - (Type=07 NTFS)
==================== End Of Log ============================
 
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

Attachments

  • fixlist.txt
    2.5 KB · Views: 7
Back